Hacking Team Breach Summary

[The news on Twitter, on the media, and across the infosec community in the last days have been fascinating to due to the revelations from the Hacking Team breach. Details about how the company operates, information about espionage and surveillance, zero days exploit catalogs, all the secrets and drama make this story ready for someone to write a book about it. Because I was on vacations while all this happened, I decided to write a short summary about it in order to catch-up. LR]

Sunday night, 5th of July, newsstartedmakingtherounds about 400Gb of data stolen from the notorious Italian surveillance software company Hacking Team. With a quite epic start, the person behind the attack – someone that goes by the name Phineas Fisher – hijacked the company twitter account, changed the handler from Hacking Team to Hacked Team and posted the following message: “Since we have nothing to hide, we are publishing all our emails, files, and source code” with a torrent link to download the data.

Shortly after, on the same twitter handle, print screens about the leaked data started to disseminate internal company emails, their clients and operating procedures. This continued for at least half day. Some hours later their list of clients have been posted on Pastebin revealing some questioning relationships with countries known for human rights violations. The company has been subject to criticism several times over the past years regarding the unethical sale of surveillance tools. CitizenLabs and Reporters Without Borders were organizations that went vocal in the past regarding their questionable practices. That known, the news were expected to have a lot of attention by the media, journalists, activists and others.

Meanwhile, as this was not enough, one of the companies employees Christian Pozzi came publicly to support the company. Unfortunately for him, his personal passwords were on the massive amount of data leaked. Worse was that the quality of the passwords were weak and moments after his initial twitter post, his twitter account got hijacked as well and his passwords posted online and twitted.

Following, when people all over the world started to get their hands on the torrent file all kinds of confidential information started to arise. Sales revenue, contracts, budgets plans, agreements, emails, operating manuals, configuration files, source code, zero day exploit catalogs, and all kind of business and technical information started to be on the internet. Wikileaks indexed and made searchable all their emails.

The days after the breach have been quite revealing due to their software and capabilities – their main business is security services and tools to governments and law enforcement organizations – specially for the information security community due to the number on unknown zero day vulnerabilities exposed and their surveillance software. But, on the other hand, the criminals soon started to use the source code and exploits on spear phishing campaigns and the Neutrino and Angler exploit Kits started to leverage the Flash 0 days while Adobe and Microsoft were working on releasing patches. This topic deserves a post on its own and I will write a summary about it soon.

As expected, the company started to investigate who has been behind the breach. According to Reuters Italian prosecutors are investigating six former employees. Ars Technica also reports this here.

In the last days, Eric Rabe and David Vincenzetti, Hacking Team Chief Communications Officer and CEO respectively, have been quite brave and their twitter handler continues to post updates. On the company website there were several news released about this topic. Among other things they seem to have requested all their clients to suspend their operations and asked the Anti Virus companies to start detecting their software.

Phineas Fisher who claims to be the actor behind the breach used his dormant twitter account writing that he will released the details on how the company got hacked. Stay tuned!